diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 730546aa6..1fbe6acaa 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -957,16 +957,17 @@ class ProjectsController < ApplicationController
   end
 # end
 
+  before_filter :toggleCourse, only: [:finishcourse, :restartcourse]
   # TODO:#finishcourse and #restartcourse 没有设置权限，也就是说，任何人的调用都会关闭or重启课程。
   # 最好通过用户与项目的权限解决这种事情。还没写
   def finishcourse
-    course_prefs = Course.find_by_extra(@project.identifier)
+    #course_prefs = Course.find_by_extra(@project.identifier)
     # setup_time = Time.parse(course_prefs.setup_time)
     # end_time = Time.parse(course_prefs.endup_time)
     yesterday = Date.today.prev_day.to_time
 
-    course_prefs.endup_time = yesterday
-    @save_flag = course_prefs.save
+    @course_prefs.endup_time = yesterday
+    @save_flag = @course_prefs.save
 
     respond_to do |format|
       format.js
@@ -974,11 +975,11 @@ class ProjectsController < ApplicationController
   end
 
   def restartcourse
-    course_prefs = Course.find_by_extra(@project.identifier)
+    #course_prefs = Course.find_by_extra(@project.identifier)
     day = Time.parse("3000-01-01")
 
-    course_prefs.endup_time = day
-    @save_flag = course_prefs.save
+    @course_prefs.endup_time = day
+    @save_flag = @course_prefs.save
 
     respond_to do |format|
       format.js {
@@ -988,6 +989,13 @@ class ProjectsController < ApplicationController
   end
 
   private
+  def toggleCourse
+    @course_prefs = Course.find_by_extra(@project.identifier)
+    unless (@course_prefs.teacher == User.current || User.current.admin?)
+      render_403
+    end
+  end
+
 
   def select_project_layout
     project = Project.find_by_id(params[:id])
diff --git a/app/views/courses/_set_course_time.html.erb b/app/views/courses/_set_course_time.html.erb
index d13d256c1..6547cb281 100644
--- a/app/views/courses/_set_course_time.html.erb
+++ b/app/views/courses/_set_course_time.html.erb
@@ -4,7 +4,7 @@
 %>
 
 <% if display && course_endTime_timeout?(project) #如果课程已结束%>
-	<%= link_to '重启课程', restartcourse_project_path(project), :remote => true, :method => :post, :id => id, :confirm => ('确定要重启课程？') %>
+	<%= link_to '重启课程', restartcourse_project_path(project, format: :js), :remote => true, :method => :post, :id => id, :confirm => ('确定要重启课程？') %>
 <% else %>
-	<%= link_to '关闭课程', finishcourse_project_path(project), :remote => true, :method => :post, :id => id, :confirm => ('确定要关闭课程？') %>
+	<%= link_to '关闭课程', finishcourse_project_path(project, format: :js), :remote => true, :method => :post, :id => id, :confirm => ('确定要关闭课程？') %>
 <% end %>
diff --git a/app/views/projects/finishcourse.js.erb b/app/views/projects/finishcourse.js.erb
index 35ecac370..2486bfffb 100644
--- a/app/views/projects/finishcourse.js.erb
+++ b/app/views/projects/finishcourse.js.erb
@@ -4,5 +4,5 @@
 	<% end %>
 	$('#finish_course_<%=@project.id%>').replaceWith("<%= j(render partial: 'courses/set_course_time', :locals => {:project => @project} )%>")
 <% else %>
-	alert('设置失败，请在论坛提交问题，等待管理员处理。');
+	alert('权限不足，设置失败，请在论坛提交问题，等待管理员处理。');
 <% end  %>